No-Brainer Startup Security Checklist

Startups, more than anything, are organizations built to move quickly and efficiently. Unfortunately, in the mad dash to product market fit, security often gets lost in the fray.

Information security is often thought of as a costly set of processes that slows everyone down, creating unnecessary bureaucracy in order to protect against an unknown, immeasurable threat.

Luckily, there are a number of simple, effective measures that can be taken to make your organization instantly more secure, with the click of a few buttons. Nothing in this list requires a developer, or even information security expertise. In many cases, sound security practices are a matter of knowing which settings to change.

Two-factor everything

Most organizations rely on a small number of core services that together make up the majority of their attack surface: email, chat, file sharing, and code repositories. Most of these services support organization-wide two-factor authentication enforcement, and you should enable and require it for your entire company rather than leaving it up to individual users.

This can't be emphasized enough: enforcing two-factor auth is the single biggest security improvement you can make at your company. It costs your company almost nothing, takes very little time to roll out, and it removes a whole class of attacks (password reuse, credential-stuffing, and simple phishing of passwords) from the attacker's toolkit.

Use an authenticator app instead of SMS

While SMS-based two-factor auth is better than nothing, it has one major weakness: the second factor is tied to your cell phone number, and your phone number is controlled by your carrier, not by you.

Your cell phone number is a growing target, both for phishing schemes and for more sophisticated attacks that exploit weaknesses in the cellular system to intercept SMS messages in transit. These attacks have most prominently been used to take over key accounts and drain their owners' cryptocurrency balances. In essence, attackers combine social engineering (phishing the victim, or impersonating the victim to the carrier's support staff) with weaknesses in cell phone providers' security procedures to have the number temporarily redirected to a device they control, so that the SMS messages carrying two-factor auth codes are delivered to them instead of to you.

While this may seem like a sophisticated attack, it is not at all difficult to carry out, especially if the attacker has a specific target in mind, such as an executive at your company. The small cost of switching to a dedicated authenticator app is far outweighed by the potential damage of an SMS-based attack. Often, all it takes is one compromised account to gain access to a treasure trove of information, especially if that account belongs to a person with a high level of access.

Google Apps

Go to Google Apps Admin Console > Security > Basic Settings

Click Go to advanced settings to enforce 2-step verification

Under Enforcement, click Turn on enforcement now

Under Allowed 2-step verification methods, click Any to allow SMS as a two-factor source, or check Only Security Key to require a physical security key (note that this stricter setting does not accept Google Authenticator codes; it requires the hardware key).
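Once enforcement is on, you still want to know who has not actually enrolled, because an admin who has not set up a second factor is the account an attacker will go after first. The script below is an added example, not part of the original checklist, and it does require a few minutes of someone comfortable with Python. It audits user records in the shape returned by the Admin SDK Directory API (the users.list call exposes isEnrolledIn2Sv and isEnforcedIn2Sv per user); the records here are constructed sample data, and fetching the real list from the API is assumed to happen separately, so the script runs offline as written.

```python
"""Audit Google Apps / G Suite user records for 2-Step Verification (2SV).

Added example. The records below are constructed sample data shaped like
the `users` entries returned by the Admin SDK Directory API users.list
call, which exposes `isEnrolledIn2Sv` (the user actually set up a second
factor) and `isEnforcedIn2Sv` (enforcement applies to this user).
"""
from typing import Dict, Iterable, List

# Constructed sample records (assumption). In practice this list comes from
# the Directory API (users.list with customer="my_customer"); that call is
# not shown here so the script runs without network access.
SAMPLE_USERS = [
    {"primaryEmail": "ceo@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "cfo@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "intern@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "it-admin@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "svc-billing@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
]


def audit_2sv(users: Iterable[Dict]) -> Dict[str, List[str]]:
    """Group user emails by 2SV problem.

    unenrolled_admins: admins with no second factor (fix these first)
    unenrolled:        everyone else with no second factor
    not_enforced:      accounts that enforcement does not cover, for
                       example users in an org unit where it is turned off
    A record missing the fields is treated as unenrolled and unenforced,
    which is the safe direction for an audit.
    """
    report: Dict[str, List[str]] = {
        "unenrolled_admins": [], "unenrolled": [], "not_enforced": []}
    for user in users:
        email = user.get("primaryEmail", "<unknown>")
        enrolled = bool(user.get("isEnrolledIn2Sv", False))
        enforced = bool(user.get("isEnforcedIn2Sv", False))
        if not enrolled:
            bucket = "unenrolled_admins" if user.get("isAdmin") else "unenrolled"
            report[bucket].append(email)
        if not enforced:
            report["not_enforced"].append(email)
    for emails in report.values():
        emails.sort()
    return report


def format_report(report: Dict[str, List[str]]) -> str:
    """Render the audit as plain text, one bucket per block."""
    lines = []
    for bucket, emails in report.items():
        lines.append(f"{bucket} ({len(emails)}):")
        lines.extend(f"  {email}" for email in emails)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_2sv(SAMPLE_USERS)))
```

Run it against the real user list on a schedule and chase the unenrolled_admins bucket first; the not_enforced bucket is worth a look too, since it usually means an org unit was excluded from enforcement and forgotten.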

Slack

Two-factor Auth

From the Slack top left menu, choose Administration > Workspace settings